Adding a child decoder for json decode.

[jacklut...@gmail.com]

Hello,

I need to decode a json log field "name": "'https://sites.google.com/view/78d7d87d78w87w8w88/btcon' warned due to filetype 'Windows Executable (exe)'",

to this   "name": "https://sites.google.com/view/78d7d87d78w87w8w88/btcon" , In here I need to remove this: - ' warned due to filetype 'Windows Executable (exe)'  values from that log. For that can i write a child decoder for json decoder in a seperate file?

[Selu López]

Hello!

Adding the below decoder to /var/ossec/etc/decoders/local_decoder.xml worked for me:

<decoder name="json_child"> <parent>json</parent> <regex>'(http\S+)' warned due to filetype 'Windows Executable \(exe\)'</regex> <order>url_path</order> </decoder>

This is the output in wazuh-logtest:

# /var/ossec/bin/wazuh-logtest Starting wazuh-logtest v4.7.0 Type one log per line {"name": "'https://sites.google.com/view/78d7d87d78w87w8w88/btcon' warned due to filetype 'Windows Executable (exe)'"} **Phase 1: Completed pre-decoding. full event: '{"name": "'https://sites.google.com/view/78d7d87d78w87w8w88/btcon' warned due to filetype 'Windows Executable (exe)'"}' **Phase 2: Completed decoding. name: 'json' url_path: 'https://sites.google.com/view/78d7d87d78w87w8w88/btcon'

Let me know if it’s what you were looking for.

​